Original article excerpt
Server-side extracted preview paragraphs from the original source.
Your dream vibe-coded app might be a security nightmare.
If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.
Bob Starr was delighted with his vibe-coded website. “Boomberg” showed how much US tax money is going to tech companies, and Starr launched it online immediately after making it. It wasn’t until months after the site went live that he realized there was a problem: a hidden SQL injection risk. It could’ve left the site open for an attacker to read or alter data they shouldn’t have access to.
“It was just a glaring oversight on my part. It was a complete blindspot in my state of learning this new technology and understanding it, and I’m sure there are others making the same mistake,” said Starr, a project manager in the tech sector.
“It was a complete blindspot in my state of learning this new technology and understanding it.”
Starr fixed the issue, but he isn’t alone. Across social media, there are horror stories about vibe-coded apps full of security vulnerabilities. Jer Crane, founder of PocketOS, posted on X about an AI coding agent wiping out his company’s production database. Joe Procopio, a serial entrepreneur and former developer, vibe-coded a web app to privately show demos of other apps he’d built. Hackers came, so he took the app down. “Now I do demos the old fashioned way, from my local machine over Zoom,” he wrote. “It’s sooo 2023.”
We’ve entered a new “era of personal software,” as The Verge’s David Pierce said, where anyone can use AI to create their own private apps that can do exactly what they want. But with it comes a new era of security issues. Apps may be easy to build, but they’re difficult to secure — especially in a world where AI can also be used to attack them.